<p>IBM Software Community blog, entries tagged "trend"</p>
<h1>Is your application security scanner smarter than a 5th grader?</h1>
<p>Bryan Casey, published 2013-04-03</p>
<div><a href="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/application-security-scanner-smarter-than-a-5th-grader_ibm-security-xforce-report.jpg" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/application-security-scanner-smarter-than-a-5th-grader_ibm-security-xforce-report.jpg" style="display:block; margin:0 auto; text-align:center; position:relative;"></a></div>
<h1>XSS vulnerabilities and security technology that thinks more like <i>you</i></h1>
<p>Learning about the world around us and then modifying our opinions and actions as we learn more is a skill that we aspire to teach in every classroom, and it is a process that informs how we think about making technology a little bit smarter. </p><div>&nbsp;</div>
<h1>XSS vulnerabilities represent a serious challenge for organizations </h1><div>&nbsp;</div>
<p>In 2012 the number of reported web application vulnerabilities rose 14% year over year, with over 3,500 new web application vulnerabilities disclosed last year. The two most commonly reported web application vulnerabilities were SQL injection and XSS, with XSS accounting for the majority: according to the <a href="http://ibm.co/xforce12">2012 IBM X-Force Trend and Risk Report</a>, 53% of all disclosed vulnerabilities in web applications were XSS vulnerabilities.</p>
<p><a href="http://ibm.co/xforce12" target="_blank"><img alt="image" src="https://www-304.ibm.com/connections/blogs/bcde08b8-816c-42a8-aa37-5f1ce02470a9/resource/BLOGS_UPLOADED_IMAGES/download-ibm-xforce-report-security.jpg" style="display:block; margin:0 auto; text-align:center; position:relative;"></a></p>
<p>Exploiting an XSS vulnerability allows an attacker to inject and fold their own content into whatever content the compromised website delivers to users' browsers. Because that content is distributed through a legitimate and trusted source, it carries all the privileges of that site, most importantly access to session and cookie information. This is useful to an attacker because it can yield legitimate session credentials, which in turn allow the attacker to impersonate users.</p>
<h1>Helping to keep organizations protected </h1><div>&nbsp;</div>
<p>The increasing number of XSS vulnerabilities has proven to be a sustained trend, and organizations should take some time to consider how well they are defending themselves against the potential exploitation of these security issues. For years, IBM's application security scanning technology has placed highest in third-party tests (<a href="http://blog.watchfire.com/wfblog/2012/08/the-most-comprehensive-web-application-security-scanner-comparison-available-marks-appscan-standard-as-the-leader.html">2012 results</a>, <a href="http://blog.watchfire.com/wfblog/2011/08/the-ultimate-web-app-security-scanner-comparison-published-appscan-standard-leads-the-pack.html">2011 results</a>) that sought to quantify which application vulnerability scanning technology was the most accurate and uncovered the most of these security flaws.</p>
<p>This is also a space where we have continued to push forward and innovate. When we <a href="https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/37901.wss">announced AppScan 8.6 last summer</a>, many of the headlines about the release were about the support for Android applications. However, that release also included our new and improved XSS Analyzer. This was no incremental improvement: it was a huge step forward in how automated software can detect XSS vulnerabilities.</p>
<p><a href="https://www-304.ibm.com/jct03001c/press/us/en/pressrelease/40403.wss">[Read more about the latest AppScan release, security for iOS applications]</a></p>
<p>Anyone familiar with this space knows that actually exploiting an XSS vulnerability typically requires finding ways to understand and creatively work around any input validation mechanisms. Input validation mechanisms make it more difficult for an attacker to drop his or her own code into a web application, code that the victim's browser recognizes as a command and then runs. Validating these inputs is essentially a way to make sure your application can only be used to do the things you've designed it for.</p>
<h1>Security technology that thinks more like you </h1><div>&nbsp;</div>
<p>Traditional scanners send a few dozen generic requests from a fixed list of potential exploits when looking for XSS vulnerabilities. These would-be attacks are often unsuccessful because they are not specific enough to the environment, or because they are blocked by input validation. When the scanners get negative answers, they don't learn from them: they don't allow the first request to inform the second. This is something a human penetration tester does intuitively, but human intuition has always been difficult to replicate in computer systems.</p>
<p>Penetration testers today have a much more useful methodology for finding vulnerabilities in applications. They begin by casting a series of wide nets. At the first hint that they might be on the right track, they start asking an increasingly specific sequence of questions and close in on the ultimate target. They learn the defense mechanisms of the application and attempt to find a creative workaround that bypasses those defenses.</p>
<p>This is the way <i>hackers</i> think, and it is how <a href="http://blog.watchfire.com/wfblog/2012/07/announcing-xss-analyzer.html" target="_new">automated tools should approach identifying XSS vulnerabilities</a>. It is an approach based on accumulating knowledge, something central to the basic concept of data analysis and, if you wanted to go a step further, to learning in general.</p>
<p>This process has been reproduced in AppScan by identifying the context of the vulnerability and then continuing to learn more about the constraints within that context. Each question the tool asks moves it closer to answering "where is the vulnerability in this application?" The process looks generally like this:</p><ol>
<li>Begin with an empty set of constraints</li>
<li>Pick from a knowledge base a test that matches all known constraints</li>
<li>Send the test, find its reflected value in the response</li>
<li>If the reflected value is identical to the test, report a vulnerability and finish.</li>
<li>Else: split the test into parts, send them one by one to see which one triggers the input-validation mechanism</li>
<li>Learn a new constraint (based on the results of step 5)</li>
<li>Go to step #2</li></ol>
<div><p>If you are more of a visual learner, <a href="http://youtu.be/FFBHLt0HeBw">this YouTube video</a> might help you understand the difference in approaches.</p><p>One of the factors that had to come into play for this technology to be successful was a much greater number of potential exploits, so there is more specificity to cater to individual environments and varying sets of known constraints. Most scanners on the market today have 100 or so potential exploits, and we are not exaggerating when we say that <i>we have over 700,000,000!</i></p><p>In my head I can hear whole IT organizations leaving work early, and maybe quitting their jobs altogether, at the prospect of running 700,000,000 tests against an application. Don't worry, that is not the case at all. On average it takes about 20 requests to locate a vulnerability, because each request, and the response to that request, eliminates huge volumes of possibilities. When we do locate a vulnerability, because we use this process and have such a level of specificity in the exploits we ultimately send, we also keep false positives extremely low.</p>
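<p>The seven-step constraint-learning loop above, as an added Python simulation that is not AppScan's code: the knowledge base of tests, the mock input-validation filter (<code>mock_validate</code>) and the request counting are all constructed here, and the handling of a filter that trips only on a combination of parts is a caveat the post does not spell out. Pointing <code>run_scan</code> at your own sanitizer in a unit test gives the defender's view of the same loop: which parts it leaves untouched.</p>

```python
"""Simulation of the constraint-learning XSS test loop described above.

Added example, not AppScan code. The knowledge base, the mock input
validation filter and the 'no single part triggers' caveat are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Reflector = Callable[[str], str]

# Constructed knowledge base: each test is a tuple of parts that are joined
# before sending. A test "matches all known constraints" (step 2) when none
# of its parts has already been observed to trigger the validation mechanism.
KNOWLEDGE_BASE: List[Tuple[str, ...]] = [
    ("<", "script", ">", "x", "</", "script", ">"),
    ("<", "img", " src=", '"', "x", '"', ">"),
    ("<", "img", " src=", "x", ">"),
]


def mock_validate(value: str) -> str:
    """Constructed stand-in for the target application: it applies a naive
    input filter (drops the word 'script', encodes double quotes) and then
    reflects the result into the response."""
    return value.replace("script", "").replace('"', "&quot;")


@dataclass
class ScanResult:
    requests: int = 0
    constraints: set = field(default_factory=set)      # parts the filter alters
    rejected_tests: set = field(default_factory=set)   # tests blocked as a whole
    reflected_intact: Optional[str] = None             # test that came back unchanged


def run_scan(reflect: Reflector, knowledge_base=KNOWLEDGE_BASE) -> ScanResult:
    """Steps 1-7 from the post, with one request counted per value sent."""
    result = ScanResult()                               # step 1: no constraints yet
    while True:
        # Step 2: pick the first test consistent with everything learned so far.
        test = next((t for t in knowledge_base
                     if t not in result.rejected_tests
                     and not any(p in result.constraints for p in t)), None)
        if test is None:
            return result                               # knowledge base exhausted
        # Step 3: send the test and read back its reflected value.
        sent = "".join(test)
        result.requests += 1
        if reflect(sent) == sent:
            # Step 4: reflected verbatim, so the validation did not neutralise it.
            result.reflected_intact = sent
            return result
        # Step 5: send the parts one by one to see which one trips the filter.
        learned = False
        for part in dict.fromkeys(test):                # unique parts, in order
            result.requests += 1
            if reflect(part) != part:
                result.constraints.add(part)            # step 6: new constraint
                learned = True
        if not learned:
            # Caveat: a filter that only reacts to the combination of parts yields
            # no single-part constraint, so the whole test is rejected to keep the
            # loop from repeating it forever.
            result.rejected_tests.add(test)
        # Step 7: back to step 2.


if __name__ == "__main__":
    r = run_scan(mock_validate)
    print(f"{r.requests} requests, learned {sorted(r.constraints)}, "
          f"intact reflection: {r.reflected_intact!r}")
```

With the mock filter the loop needs 14 requests and learns two constraints before the third test reflects intact; with a filter that only reacts to whole tags, no part is learned and the loop terminates with the knowledge base exhausted.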
<p>Video (YouTube): <a href="http://www.youtube.com/v/MoHzk9l05pk?hl=en_US&amp;version=3">http://www.youtube.com/v/MoHzk9l05pk</a></p>
<p>As is frequently the case in application security, getting the right answer begins and ends with being able to ask the right set of questions. Please leave your comment below with your thoughts and follow <a href="http://twitter.com/ibmsecurity">IBM Security on Twitter</a> for the latest.</p></div>
<h1>How the Year of the Security Breach is Affecting the Evolving Role of the CISO</h1>
<p>Bryan Casey, published 2011-09-29</p>
<p>When it comes to security, the challenges we face today are, in many ways, familiar business and IT challenges. Based on the events of the last year, two really significant questions have come to the forefront of the security conversation. The first is around the level of investment and how to more strategically prioritize both spend and skills. The second is around the nature of the technology conversation. Today, we need to focus not just on buying the latest and greatest, but on making sure the latest and greatest is properly deployed and configured and, as networks and IT environments change and grow, that the corresponding security technology is updated appropriately. In other words, security needs to be <b>managed</b> more effectively.</p>
<p>In the <a href="http://www-03.ibm.com/security/landscape.html">IBM X-Force Trend and Risk Report</a> published today, we wrote extensively on what we're calling the "year of the security breach." Over the course of the last year it seems like every week has brought with it a new headline, and the landscape of attackers has become as diverse as the organizations they target. We are seeing everything from targeted state-sponsored attacks, to organized crime, to politically and socially motivated attackers, to those motivated by notoriety. While each of these groups has different sets of skills, tolerance for risk and ultimate objectives, the impact they have had on businesses has been significant across the board. You might expect that the most sophisticated attackers have been responsible for the most damaging attacks, but that isn't necessarily the case. Many inexperienced attackers who use automated tools (that often come complete with help and support) have been extremely successful at stealing information and damaging organizations, both financially and otherwise.</p>
<p>Video (YouTube): <a href="http://www.youtube.com/v/1Gcob5UwRQ8?version=3&amp;hl=en_US">http://www.youtube.com/v/1Gcob5UwRQ8</a></p>
<p>For a long time, many circles came to view security as a technical challenge. How good is my IPS? Is it vulnerability- or exploit-based? How effective is my patch management strategy? How am I successfully on-boarding and off-boarding users? What techniques am I using during application development to ensure I'm not introducing new security vulnerabilities?</p>
<p>Since then the world has changed a lot, and it did so without changing much at all.</p>
<p>We've seen an incredible number of breaches over the course of the last year, but often at the hands of attacks that are anything but new. In the vast majority of these cases, the technology to prevent these incidents is commercially available. This reality is forcing us to ask the question: if the technology isn't the problem, then what is? At this point, what we are really left with is questions of investment and process, and these are not technical challenges, but rather business and risk management challenges. The ability to manage risk effectively is important because in today's world there is no such thing as complete security. If there was, and you could buy it, we wouldn't be having any of these conversations. The reality is that because you can't achieve perfect security (much less buy it), you need someone to make strategic business decisions about where to focus your spend and skills. In this way the job description of today's CISO is becoming less technical, and more focused on strategic business objectives and outcomes.</p>
<p>Additionally, many new technologies today are making it easier to connect and compute, and that general trend of connectivity and shared resources is also introducing new risks. How can we effectively balance openness with security? Cloud and mobile are transformational platforms, but to adopt these technologies in the workplace we need to be confident in their security capabilities. As the promise and value of these technologies is so significant, instead of saying "no," it is becoming the responsibility of the CISO to figure out the "how?"</p>
<p>The events of the last year have shown us that there need to be changes made in the way that many organizations manage security. Security needs to be handled as a strategic business challenge requiring ongoing evaluation and management, not as a one-time assessment or investment. As security becomes a more ingrained element of business and IT transformation, we expect the role of CISOs to evolve accordingly.</p>
<p>Download the Trend Report <a href="http://www-03.ibm.com/security/landscape.html">here</a>.</p>
<p>Read more about our thoughts on the Evolving Role of the CISO <a href="http://www.instituteforadvancedsecurity.com/expertblog/tag/ciso/">here</a>.</p>
<h1>Business Analytics: Building a Smarter Game Plan</h1>
<p>Wes Simonds, published 2011-09-19</p>
<div><i>The following contribution is by guest blogger Wes Simonds. Over the next few months, Wes will share with you his perspective on the role of software in transforming business and building a smarter planet. Wes worked in IT for seven years before becoming a technology writer on topics including virtualization, cloud computing and service management. He lives in sunny Austin, Texas and believes Mexican food should always be served with queso.</i><br>&nbsp;<br><b>Analytics help you compete better in the business arena</b></div>College football is my favorite sport, but for reasons unclear to me, it's not played every day of the year. <br>&nbsp;<br>So I find myself giving other sports a chance. This is often a learning experience.<br>&nbsp;<br>For instance: the recently completed US Open tennis tournament. Did you know it has an <a href="http://www.usopen.org/ibm/index.html?promo=ibmribbon">Official Technology Partner</a>?<br>&nbsp;<br>And that as of 2011, this Technology Partner does extensive, <a href="http://www.usopen.org/en_US/pointstream/index.html">customized analyses</a> on a match-by-match basis, to suggest what specific players must do to win any given match? <br>&nbsp;<br>I didn't. Neither did the sportscasters. 
I was surprised to hear that even jaded, seen-it-all John McEnroe was impressed with the detailed insight provided, which sounded much like this:<br>&nbsp;<br><i>To beat Djokovic, Federer will need to land more than 62 percent of his first serves from the ad court, and in that scenario, Djokovic is least likely to return serves right down the middle.<br>&nbsp;<br>To beat Federer, Djokovic will need to concentrate on Federer's relatively weak backhand, targeting it 43 percent or more of the time, especially in volleys at the net.</i><br>&nbsp;<br>Wow, I thought. "This goes way beyond sabermetrics in baseball, which is mainly about individual players' relative strength. This is nothing less than a tailored, prioritized game plan driven by deep analysis of hard data. It tells players how well they're doing, where they're weak and strong, what kinds of risks are coming up, and what they need to do to achieve their goals. And it does that in as much or as little detail as they need."<br>&nbsp;<br>Then I thought: What if businesses could leverage this kind of software to do much the same things?<br>&nbsp;<br>Then I thought: They can. That's what business analytics is all about.<br>&nbsp;<br><b>Don’t be an analytics have-not</b><br>Mychelle Mollot, IBM Vice President of Worldwide Marketing for Business Analytics, makes a very similar case. <br>&nbsp;<br>"For our customers, analytics is really a tool to help them compete," Mollot said. "People have to discover new ways to differentiate, be competitive, and find new areas for growth. Many organizations are turning to IBM for analytics to help them make sense of their data in order to drive better business outcomes."<br>&nbsp;<br>Think of data as a stockpile of valuable, but hidden, insights. Discovering those insights requires analytics tools capable of sifting through the stockpile and detecting trends and patterns. 
Then, based on the insights, business leaders can create strategies to help the business grow.<br>&nbsp;<br>Practically every organization, in every industry, can benefit from quantified analysis of the available data. This is particularly true if little or no analysis along those lines is being performed right now. <br>&nbsp;<br>"We see that not just in our own experience with our customers," said Mollot, "but the data [in general] shows it as well. In the studies we've done, [there is a clear] divide between the Analytic Haves and the Analytic Have-Nots. <br>&nbsp;<br>"And the more that organizations fall behind in terms of their analytic usage and their analytic capabilities, the more their performance is going to be impeded by it."<br>&nbsp;<b><br>Recognize trends and patterns faster and more accurately</b><br>As just one specific example, consider the business context of insurance providers. The entire insurance business is, at its heart, driven by statistical analysis -- an attempt to assess various forms of risk on a mass scale in order to provide financial protection for clients against undesirable events. <br>&nbsp;<br>But going beyond that form of analysis, there is also the issue of claim evaluation. Insurance providers sometimes receive fraudulent claims; the faster and more accurately such claims can be identified and dealt with, the better the business outcome for the insurance provider. And that, in turn, will translate into value for policyholders in the form of lower premiums.&nbsp; <br>&nbsp;<br>Detecting just which claims are fraudulent, though, is a complex matter. It's also an opportunity for analytics tools to shine.<br>&nbsp;<br>Such was the recent experience of Infinity Property and Casualty Corporation, an Alabama-based automobile insurance provider that covers drivers identified as higher-than-normal risks. 
This organization provides 24x7 service, handling between 25,000 and 35,000 claims per month -- a vast data pool of ever-increasing size, and one in which a certain percentage of claims are going to be fraudulent. Being able to pinpoint those claims rapidly and correctly is thus a crucial aspect of Infinity's business model. <br>&nbsp;<br>Thanks to a new set of analytics solutions and modeling techniques, the organization has managed to achieve exceptional results. Via sophisticated predictive models, claims can now be flagged as suspicious and referred to a special investigative unit in one to three days instead of a month. And they are now much more likely to involve actual fraud once they're investigated. <br>&nbsp;<br>Furthermore, this approach pays a second dividend in the case of routine, legitimate claims. These can now typically be paid in one day, instead of a week or more.<br>&nbsp;<br>The <a href="http://www.ibm.com/common/ssi/cgi-bin/ssialias?infotype=PM&amp;subtype=AB&amp;appname=SWGE_YT_YT_USEN&amp;htmlfid=YTC03283USEN&amp;attachment=YTC03283USEN.PDF">business result for Infinity</a>? Twice the accuracy in identifying fraud and swifter claim processing in all cases, leading to a 403 percent return on investment.<br>&nbsp;<br>That's an impressive result by anybody's standards. <br>&nbsp;<br>Cases like that also illustrate just why leading IT providers are focusing more and more on analytics solutions: there is an increasing market demand for them.<br>&nbsp;<br>"In terms of a growth strategy, IBM is investing in analytics, as we have seen from the recent acquisition announcements over the last year: SPSS, OpenPages, Clarity, Netezza, BigFix and now recently <a href="http://www.ibm.com/press/us/en/pressrelease/35176.wss">Algorithmics</a>," said Mollot. "It is a core strategy for IBM because it's core to the success of our customers. 
We really believe that analytic-driven organizations are going to outperform those that are not analytic-driven."<br>&nbsp;<br><b>Pursue analytics via a tailored strategy that reflects your specific context</b><br>If Mollot is right about that -- and I think she is -- then the question is not whether organizations need to deploy analytics tools, but how. <br>&nbsp;<br>For best results, they should think through not just what their challenges and goals are, but also how to implement and integrate new analytics capabilities over time. The idea should not be just to buy and install analytics solutions, but also to drive positive change via an analytics strategy.<br>&nbsp;<br><b>Some points to consider:</b><br>&nbsp;<br><i>1. Find out how mature your analytics strategy is right now -- and what you should do next.</i><br>&nbsp;<br>You can accomplish this by <a href="http://www.ibm.com/software/analytics/aq/index.html?i.user1=&amp;mc=">taking a quick analytics quotient (AQ) test</a>. Given the results, determining the next logical steps should be much more straightforward.<br>&nbsp;<br><i>2. Consider analytics capabilities from both tactical and strategic perspectives.</i><br>&nbsp;<br>Often, a balanced approach is best. One way to go about that: think strategically (in terms of designing the system), but act tactically (in terms of creating pilot projects). <br>&nbsp;<br>For instance, you might begin with analytics-driven direct marketing, but over time expand into much more specific analyses of customer data, such as the probability they will buy any given product or service.<br>&nbsp;<br><i>3. Evolve your strategy and capabilities over time.</i><br>&nbsp;<br>As your business changes, so will your data, your customers, and your strategies. You'll need to grow and refine your analytics capabilities in parallel. 
<br>&nbsp;<br>In many cases, analytics can also help organizations understand change better, revealing not just new possibilities, but also false conclusions or unexpected gaps in their market awareness.<br>&nbsp;<br>"Customers often find that the more they know, the more they realize they <i>don't</i> know," said Mollot. "That's what drives the next set of projects: the opportunity to learn more. Analytics is an ongoing process that [empowers] people at the point of impact with the ability to make decisions. So it becomes a cultural change as well as a technology and transformational journey."<br>&nbsp;<br>How is your organization using analytics?<br>&nbsp;<br><b>Additional Information:</b><br>&nbsp;<br><b><a href="http://www.ibm.com/software/products/us/en/category/SWQ00">Discover what IBM offers to help you improve your business analytics – and your business</a></b><br>&nbsp;<br><b><a href="http://www.ibm.com/software/data/2011-conference">Register for Information on Demand 2011</a></b><br>&nbsp;<br><b>About the author</b><br>Guest blogger Wes Simonds worked in IT for seven years before becoming a technology writer on topics including virtualization, cloud computing and service management. He lives in sunny Austin, Texas and believes Mexican food should always be served with queso.<br>
<h1>Over 8,000 New Vulnerabilities Disclosed in 2010 - That's a Record</h1>
<p>Bryan Casey, published 2011-03-31</p>
<p>Twice a year our X-Force team releases their insights and observations on the security landscape, and today we’re <a href="http://www.prnewswire.com/news-releases/ibm-x-force-report-2010-marked-a-year-of-sophisticated-targeted-security-attacks-118995909.html">announcing</a> the release of the <a href="http://www-03.ibm.com/security/landscape.html">IBM X-Force 2010 Trend and Risk Report</a>. In 2010 we saw the continued rise in the number of disclosed vulnerabilities as well as the continued prevalence of web application vulnerabilities. However, 2010 also gave us a lot of new things to mull over. We’re seeing sophisticated threats and attackers become more prevalent than ever before. Mature exploit code for mobile devices, while not yet commonplace, is becoming increasingly available. We saw spam volumes rise dramatically before tapering off, and the SQL Slammer completely vanished.</p>
<p>Video (YouTube): <a href="http://www.youtube.com/v/Rzk3IdaNCY0?fs=1&amp;hl=en_US">http://www.youtube.com/v/Rzk3IdaNCY0</a></p>
<p>This week I sat down with Tom Cross, Manager of X-Force Threat Intelligence and Strategy, to discuss in a bit more detail some of what we’ve seen over the course of the past year as well as what we should be looking for in the years ahead.</p>
<p><b>Bryan: So, let’s start with this number. 8,562 vulnerabilities disclosed last year. This is a 27% increase from 2009 and is the most ever disclosed in a single year. What’s driving this rapidly increasing number, and is it something that is necessarily cause for concern?</b></p>
<p><b>Tom</b>: We think this increase is a consequence of software development houses taking the security of their software more seriously. Many companies that develop software are currently investing in improvements to development and quality assurance processes that are intended to identify and eliminate security vulnerabilities before products are shipped to customers. However, there is a lot of code out in the field right now that didn’t benefit from the latest in software engineering practices, and so vulnerabilities are getting discovered that have to be patched.</p>
<p>It’s not necessarily a cause for concern. It represents progress toward a safer internet – but for those of us who work on remediating vulnerabilities and defending networks from attacks that target them, it means we’ve got a lot more work to do.</p>
<p><b>Bryan: Do you anticipate that vulnerability disclosures will continue increasing in 2011 at the rate they did in 2010? Will we reach 11,000 next year?</b></p>
<p><b>Tom</b>: As improved software engineering practices result in better code out there, I think that we will eventually round the corner and start seeing sustained decreases in these numbers, but it is hard to predict exactly when that will happen. We thought we were already on the way last year, and then this year surprised us. The total number of vulnerability disclosures has been up and down for the past 4 years, so next year’s totals are anybody’s guess.</p>
<p><b>Bryan: The new report mentions that often exploits are released tens to even hundreds of days after the public disclosure of the vulnerabilities they target. Why does this happen? Are exploit writers just slow?</b></p>
<p><b>Tom</b>: We think that the bad guys develop exploit code quickly after vulnerabilities are disclosed. In some cases exploits are circulating before disclosure. But they aren’t made public. They are used to break into computers. Eventually, as systems get patched, these exploits become less valuable as attack tools, and some of them find their way onto public websites and mailing lists that we track.</p>
<p>The fact that this is taking a long time indicates that people aren’t patching quickly enough. The window of opportunity for an attacker has two components: the amount of time between vulnerability disclosure and patch release, as well as the amount of time between patch release and installation. In some cases it can take a long time for software vendors to release patches, but they are often made available quickly, particularly for critical issues. We think that attackers are holding on to exploits for a long time primarily because those patches aren’t getting installed everywhere that they need to be.</p>
<p>Fixing this requires improvements in endpoint management. Network managers need to know what computer systems are on their network, what software is on those computer systems, what vulnerabilities are in that software, and what patches are available. This is an area that is going to be a focus for both technological and operational development over the next 5 years. Of course, it also makes sense to have good threat prevention in the network as well.</p>
<p><b>Bryan: We see some recurring year-to-year trends in this report, such as the significance and prevalence of web application vulnerabilities. However, I’m curious what’s new this year. What’s changing in the security landscape that people need to be aware of?</b></p>
<p><b>Tom</b>: Lots of new technologies – such as Mobile and Cloud, Virtualization, IPv6 and DNSSec. We keep making new software and software systems that have new security implications. While we’re getting better at making software, it still has a maturity lifecycle. When a new software program is released there are very few vulnerabilities that have been disclosed in it, but the code hasn’t had much of an opportunity for independent audit and real world use. Over time, people find bugs, and the number of known vulnerabilities in that software increases. Eventually, if the software remains static, it can reach a stable state where few new vulnerabilities are being discovered. However, most commercial software doesn’t remain static. New features are added. Things are changed. Product management occurs. Entirely new technologies like IPv6 can present large code bases to the Internet that haven’t been subject to much real world use. There are bugs in there, and also people need to learn how to deploy these technologies safely, and that takes time as well.</p>
<p>Another notable thing that happened this year is broadening awareness of sophisticated, targeted attacks that may be state sponsored. These kinds of attackers are hard to keep out of a computer network. They really do their homework on the organizations they are targeting and they are very patient. They are also coming at you with vulnerabilities that no one else knows about and custom trojans with covert command and control protocols. It’s a hard problem. A few years ago it was a problem that only governments and other critical sites had to worry about, but the sorts of organizations dealing with this today seem to be widening.</p>
<p><b>Bryan: It seems like there’s a lot happening in the security world right now. From the continued rise of advanced persistent threat, to mobile platforms and cloud computing each introducing new risks and challenges, to the scale and sophistication of an attack like Stuxnet… security seems to be everywhere, and I’m hoping you can boil some of this down for us. As we look back on 2010, what were the key things we learned? What should we expect to see in 2011?</b></p>
<p><b>Tom</b>: Concerns about things like Advanced Persistent Threat are driving the adoption of different approaches to network security, which includes more physical network segmentation, better endpoint management and awareness, better log retention and analysis, and a more forensics-driven approach. All of these developments make networks more resilient against everyday threats.</p>
<p>I think that Stuxnet also shined a light on the risks that customized industrial control systems face. Computer security people are familiar with being ignored when we point out potential risks until a real event occurs. People have been talking about the computer security risks of Internetworked control systems for years. Hopefully now those warnings will not be ignored.</p>
<p>What should we expect to see in 2011? I think Wikileaks has gotten people thinking about information control in their organizations.</p>
What stuff does your enterprise know that is just sitting out there on internal file servers and could easily be leaked on the Internet by a disgruntled employee? A clear set of best practices has yet to emerge around this but people are starting to think about how Data Loss Prevention and Watermarking technologies might be brought to bear on the problem.</p><p>But, I expect 2011 to surprise us. Every year there are developments that we don’t anticipate. A few weeks ago the SQL Slammer worm all but disappeared from the Internet. Computers infected with that worm have been a reliable source of malicious traffic on the Internet since the worm first emerged back in 2003. One day in March, poof, the thing just disappears. We’re currently looking through the evidence that we have to see if we can find an explanation, but so far it is proving illusive. The Internet is a big place – it’s unpredictable.</p><div><b><b> </b></b></div><div><b><b>For other Trend Report highlights, including interactive graphics, please see my recent post on the IBM Institute for Advanced Security. It can be found <a href="http://www.instituteforadvancedsecurity.com/expertblog/2011/03/31/announcing-the-ibm-x-force-2010-trend-and-risk-report/">here</a>. </b></b></div></div></div></div></div>
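<p>One way to make the two-component window Tom describes measurable across an inventory, as an added example that is not part of the report or the interview: each host's exposure is split into vendor time (disclosure to patch release) and deployment time (patch release to install), and a host with no install date is treated as still exposed. Host names, vulnerability ids and dates below are constructed sample data.</p>

```python
"""Exposure-window accounting over a patch inventory (added example).

Splits the attacker's window per host into vendor time (disclosure ->
patch release) and deployment time (patch release -> install) so a team
can see which component dominates. All inventory data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    host: str
    vuln_id: str                    # constructed placeholder, not a real id
    disclosed: date
    patch_released: Optional[date]  # None: vendor has not shipped a fix yet
    installed: Optional[date]       # None: patch not deployed on this host


# Constructed inventory; "today" is fixed so the numbers are reproducible.
TODAY = date(2010, 6, 1)
INVENTORY = [
    Finding("web-01", "VULN-A", date(2010, 3, 1), date(2010, 3, 8), date(2010, 3, 12)),
    Finding("db-02", "VULN-A", date(2010, 3, 1), date(2010, 3, 8), None),
    Finding("app-03", "VULN-B", date(2010, 4, 15), None, None),
]


def exposure(f: Finding, today: date = TODAY) -> dict:
    """Days in each window component; an unpatched host's window is still open."""
    end = f.installed or today                      # exposure ends at install, or not yet
    vendor_end = min(f.patch_released or end, end)  # no patch yet: all of it is vendor time
    vendor_days = (vendor_end - f.disclosed).days
    deploy_days = max(0, (end - f.patch_released).days) if f.patch_released else 0
    return {"host": f.host, "vuln": f.vuln_id, "vendor_days": vendor_days,
            "deploy_days": deploy_days, "total_days": (end - f.disclosed).days,
            "open": f.installed is None}


def summarize(findings=INVENTORY, today: date = TODAY) -> dict:
    """Aggregate both components and name the one that dominates the window."""
    rows = [exposure(f, today) for f in findings]
    vendor = sum(r["vendor_days"] for r in rows)
    deploy = sum(r["deploy_days"] for r in rows)
    return {"rows": rows, "vendor_days": vendor, "deploy_days": deploy,
            "dominant": "deployment" if deploy > vendor else "vendor",
            "unpatched_hosts": sorted(r["host"] for r in rows if r["open"])}


if __name__ == "__main__":
    s = summarize()
    for r in s["rows"]:
        print(f'{r["host"]} {r["vuln"]}: vendor {r["vendor_days"]}d, deploy {r["deploy_days"]}d, open={r["open"]}')
    print("dominant component:", s["dominant"], "still unpatched:", s["unpatched_hosts"])
```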
<h1>Quick: What has 149 horsepower, gets 126.7 miles per gallon… and runs on 10 million lines of code?</h1>
<p>Mark Scapicchio, 2010-12-02</p>
<p>The answer is the Chevy Volt – a first-of-its-kind hybrid automobile and the 2011 Motor Trend Car of the Year. <a href="http://bit.ly/f2UyAd" style="font-weight: bold;">IBM Rational software (together with IBM supercomputers and simulation software) played a significant role in the development of the Volt</a>.</p>
<p>The phrase ‘X of the future’ gets thrown around pretty liberally, but the Volt actually earns the ‘car of the future’ title by being unlike any other car – or any other hybrid – anyone has ever driven. It’s the first hybrid that can run on battery power only, OR on electricity generated by a gas-powered motor, OR on gas only (at a pretty damn economical 40 mpg). And on-board software, developed using Rational tools, enables everything from the Volt’s space-age graphical dashboard, to a system that picks the most fuel-efficient hybrid mix based on preference or driving style, to a smartphone app that lets the justifiably smug owner remotely monitor the Volt’s battery and fuel levels, or warm up the interior.</p>
<p>An IBMer might say the Volt is <i>the rolling definition of a ‘smarter product.’</i> Even Motor Trend calls it “the world’s first intelligent hybrid.”</p>
<p>Here are a few links for getting to know the Volt:</p>
<ul>
<li><b><a href="http://bit.ly/fNNZ9y">The IBM Volt Press Kit</a></b> includes a great video in which GM folks explain the role of IBM Software in the Volt’s development. (Favorite fun fact: 6 million lines of code in an F-35 fighter, 10 million lines of code in a Volt.)</li>
<li><b><a href="http://bit.ly/fAy8TI">The ‘Volt Unplugged’ tour stops at IBM in Raleigh</a></b> – and 600+ IBMers wait in line for a test drive.</li>
<li><b><a href="http://bit.ly/eknVUd">2011 Motor Trend Car of the Year: Chevrolet Volt</a></b>. One indication that the Volt is unlike any previous car is that this article is unlike any previous Motor Trend Car of the Year article. It actually includes the phrase “systems integration.”</li>
<li><b><a href="http://bit.ly/gqHPD0">Chevy Volt on Wikipedia</a></b>. Links from this article explain such terms as “serial hybrid” and “parallel hybrid,” which help you understand how the car works.</li>
<li><b><a href="http://bit.ly/fBBFlp">The official Chevy Volt web site</a></b>. Just in case you decide 126.7* miles per gallon would look good in your garage.</li>
</ul>
<p>*Motor Trend estimate</p>